Brl.ntt.co.jp

D. Bacon, A.M. Childs and W. van Dam,2005:(1) is of importance when trying to solvethe hidden subgroup problem for semi-direct It also appears in the theory cyclotomic classesans is a natural generalization of the discretelogarithm problem.
We use some number theoretic results, to de- that are more efficient than the brute force search (but unfortunately still exponential in We use our classical algorithm to measure the level of improvement that can be achieved by In particular, it gives an example of a natural an asymptotically cubic speed-up over clas- If f or g is a primitive root, then the problem is not harder than the DLOG problem.
general our results suggest that finding solu- tions to Equation (1) becomes easier in cases where f or g is of large order, but still it ap- pears to be harder than the DLOG problem.
We start with a classical deterministic algo- rithm that is more efficient than brute search.
ther find a solution x, y ∈ Z≥0 of the equationaf x +bgy = c or decide that it does not have a solution in deterministic time q9/8(log q)O(1) Furthermore, for almost all c a stronger result solution x, y ∈ Z≥0 of the equation af x+bgy =c or decide that it does not have a solution in deterministic time q(log q)O(1) on a classical tage that calculating discrete logarithms can be done efficiently. In combination with the quadratic speed-up of quantum searching this gives the following quantum algorithm for the We start with an algorithm that works for any g be of multiplicative orders s and t, respec- tively. There is an absolute constant C such ther find a solution x, y ∈ Z≥0 of the equationaf x + bgy = c or decide that it does not have a solution in time q3/8(log q)O(1) for any s and t; and in time q1/2(st)−1/4(log q)O(1) if As in the classical case, for almost all c ∈ Fqstronger results are possible.
g be of multiplicative orders s and t, respec- tively. On a quantum computer, for all but solution x, y ∈ Z≥0 of the equation af x +bgy = c or decide that it does not have a solution in time q1/3(log q)O(1) for any s and t; and in time q1/2(st)−1/4(log q)O(1) if st > The Hidden Subgroup Problem over the group shows that this problem can be solved effi- where f has multiplicative order p in Zq.
Unfortunately, all algorithms presented in this For this restricted problem with f = g and f lutions (x, y), hence even a classical algo- Quantum mechanically, one can ‘Grover search’ the set of solutions x ∈ {0, . . . , p − 1} in time Theorem 3 but is still far from polynomial in gorithms that run in time (log q)O(1) for solv- ing the equation af x + bgy = c and the more restricted version af x + bf y = c over Fq.
In some finite fields classical subexponential probabilistic algorithms are possible for the In such fields, a version of Theorem 1 can be obtained with an algorithm that runs in prob- abilistic time q3/4+o(1), which is still much slower than the quantum algorithm of Theo- One can obtain analogues of our results in the elliptic curve setting, where no subexpo- nential algorithms for the DLOG problem are • Find the orders s and t of f and g, re- • If one of them (say, t) is small, then we search through all y = 1, . . . , t and try to find the DLOG of (bgy − c)/a to base f .
Since t is small this is not too expensive.
• If both of them are large, we show that there is always a solution to (1) with y ≤ proceed as in in the previous case but run Obtaining a good estimate on r is crucial! To estimate r, we use traditional number the- oretic tools such as bounds of multiplicative where χ and ψ are multiplicative and additive In fact we obtain an asymptotic formula for the number of solutions to (1) with y ≤ r which has an additional advantage in the quan- tum case as we can promise a certain density be of multiplicative orders s and t, respec-tively.
solutions in nonnegative integers x and y withx ∈ {0, . . . , s − 1} and y ∈ {0, . . . , r − 1}.
Let Xk = {χ : χk = χ0} be the group of allk multiplicative characters χ of order k, Changing the order of summation and sepa- rating the term r/k corresponding to the prin-cipal character χ0 we obtain of multiplicative orders s and t, respectively.
There exists an absolute constant C > 0 such then the equation af x +bgy = c has a solution in integers x and y with x ∈ {0, . . . , s − 1} and solution x, y ∈ Z≥0 of the equation af x+bgy =c or decide that it does not have a solution in time q3/8(log q)O(1) on a quantum computer.
Using Shor’s discrete logarithm algorithm: • Create a poly-time quantum subroutine S(x) that, for a given x either finds andreturns the integer y with gy = b−1(c − af x) or reports that no such y exists.
• Create a quantum subroutine T (y) that, for a given y either finds and returns the integer x with f x = a−1(c − bgy) or reports Use Shor’s algorithm to compute s and t.
• If r ≤ t, then using Grover’s algorithm, search the subroutines S(x) for all x ∈{0, 1, . . . , r − 1} in time Due to our choice of r, by Corollary 6 inthis case there is always a solution.
• If r > t, then we search the subroutines T (y) for all y ∈ {0, 1, . . . , t − 1}, in time We either find a solution or conclude that

Source: http://www.brl.ntt.co.jp/tqc/2008/doc/program/QC-ExpCong-sld.pdf